Are CIOs Ready For Cybersecurity Preparedness?

The recent high profile cyber attacks such as DDoS attacks on ISPs in Mumbai and Bangladesh Bank heist have prompted organizations frame strong security guidelines to tackle advanced cyber threats. Enterprises across the industry domain are increasingly becoming aware of growing cyber threats, both from external and internal sources. India, which is one of the top countries to witness ransomware attacks, is gearing up to counter online threats in a most efficient way.

A recent KPMG cybercrime study noted that 94 percent of businesses recognize cybercrime as a major threat to business. However, this may not necessarily translate to preparedness. Government policies and compliance issues are the biggest roadblock for security preparedness, while disruptive technologies such as cloud, IoT and mobility have made security landscape more complex than ever. Security undoubtedly has become the boardroom discussion, there is still a lot of scope in terms of preparedness for enterprises in India.

Preparedness of Enterprises

The recent Eset cyber savviness report revealed that Indian enterprises scored the lowest in the APAC region in terms of cyber security knowledge. This shows that there is still a lot of scope for preparedness among Indian enterprises, especially among SMEs. Nick FitzGerald, Senior Research Fellow at Eset believes that while advances in technology and heightened media attention lead to companies to purchase better security products, businesses cannot overlook the human factor in the cyber security preparedness. “No matter how effective technology-based solutions are, the end user is still a key factor in mitigating cyber threats. To enhance their preparedness for any emerging threats, businesses need to ensure that their employees have the right mindset towards security, and learn to take proactive steps against threats”, FitzGerald said.

There is very little awareness about the growing threat of insider attacks. The factors like enterprise mobility and BYOD provide a green field to insider cyber crooks. The damage from internal sources could be disastrous for any organization. Therefore, CIOs and CISOs cannot ignore the insider threat. A recent release from security firm Forcepoint states that out of the total budget allocation, 80 percent is spent on defending against external threats as against 20 per cent on internal threats. Altaf Halde, MD, Kaspersky Lab, SA says that enterprises should use new technologies and methods because each added layer helps reduce the risk. “The basic principles of ensuring security in corporate networks remain unchanged i.e humans. We are Kaspersky believe that the staff has to be trained because information security is not only the job of the corporate security service, but also the responsibility of every employee”, Halde said.

Experts say that only a few large Indian enterprises are at the same maturity as the enterprises in technologically advanced countries like US. This is mainly due to absence of strict laws and compliance. Similarly, in a bid to achieve higher business agility, enterprises often compromise on security as they feel that security layer would slow the business operations. The technologies such as cloud, mobility, big data have made the security landscape more complex. However, enterprises always, do not consider the security issues that are bundled with these technologies.

Nilesh Jain, Country Manager (India and SAARC), Trend Micro says that lack of awareness and time constrain are the major factors why CISOs and CIOs overlook security while deploying such technologies. “It is not that the good CIOs and CISOs do not want security, but unfortunately either they do not have time or they do not have complete awareness about security infrastructure they need to deploy within the organization. This is the reason why the preparedness is not upto the mark”, said Jain.

The integrity of a business relationship with its customers is at the heart of all good business practices. Hence, there is always a clash between security and privacy and when it comes to choosing between them, many IT leaders give preference to privacy. The recent legal dispute between Apple and the FBI is a case that exemplifies the conflict between privacy and security. Myla V. Pilao, Director, TrendLabs Marketing Communications, Trend Micro says that enterprises needs to acknowledge the fact that security is not a roadblock to privacy, rather they complement each other. “Many people think that security is a roadblock to privacy but is not. The organizations should see that how security can be the best guard to privacy as oppose to relaxing security so the privacy can come into play”, said Pilao.

Similarly, Govind Rammurthy, CEO at eScan says that security and privacy are central to security policies and deployment, which is driving CIOs to think differently while implementing security solutions. “ A strong IT policy deployed in an organization will resolve the issues of security and privacy to large extend, by keeping the accessibility of critical privacy data to limited users, while not compromising on overall network security of the organization”, said Rammurthy.

The security budgets among enterprises in India are steadily increasing which is itself a step towards securing business. According to Gartner, security spending will continue to grow in and security services are also expected to increase to 60 percent by 2019. “Since past 2 years, we have seen a shift of IT budget allocation with more budget being allocated to security in Indian enterprises which was not the case before. This indicates that the Indian Enterprises are getting more aware around the advanced threats which are prevalent globally and preparing their organizations to tackle them”, said Rajpreet Kaur, Senior Research Analyst at Gartner.

Cyber insurance is the latest buzz word in the security industry and though in a nascent stage, the concept is going to be the key element for companies who are looking at the full spectrum of cyber security preparedness. While one has to accept the fact that there is no 100 percent security, cyber security can effectively add another layer of security and mitigate risks. To enable that, companies need to consider the differences in insurance products offered across the market and find a right cyber framework that best suits their needs.

With a higher level of sophistication coming in the cybercrime industry, Enterprises across the domain are gearing up to tackle the advanced cyber threats. Organizations are building up resources as well as technology implementation to mitigate risks. Some of the enterprises from BFSI, IT, Infrastructure, Healthcare, and Ecommerce etc. are at forefront in implementing strong security measures while others in manufacturing, retail are little behind in adopting the new technologies. Therefore, it can be fairly said that enterprises are in constant look out for newer technology to thwart cyber threats. However, it requires a further boost from the decision makers and CIOs and CISOs can play a greater role in building a robust security architecture within the organization.

While many believe CIO's role is evolving and that he's occupying a key place in the boardroom, a recent study brings to light that more than half of the CIO, CTO or IT admin staff (55%) are not thanked by colleagues for carrying out essential IT tasks on their behalf.